Example: Create an IPv6 VPC and Subnets Using the AWS CLI

The following example uses AWS CLI commands to create a nondefault VPC with an IPv6 CIDR block, a public subnet, and a private subnet with outbound Internet access only. After you've created the VPC and subnets, you can launch an instance in the public subnet and connect to it. You can launch an instance in your private subnet and verify that it can connect to the Internet. To begin, you must first install and configure the AWS CLI. For more information, see Getting Set Up with the AWS Command Line Interface.

Step 1: Create a VPC and Subnets

The first step is to create a VPC and two subnets. This example uses the IPv4 CIDR block 10.0.0.0/16 for the VPC, but you can choose a different CIDR block. For more information, see VPC and Subnet Sizing.

To create a VPC and subnets using the AWS CLI

Create a VPC with a 10.0.0.0/16 CIDR block and associate an IPv6 CIDR block with the VPC.

Step 2: Configure a Public Subnet

After you've created the VPC and subnets, you can make one of the subnets a public subnet by attaching an Internet gateway to your VPC, creating a custom route table, and configuring routing for the subnet to the Internet gateway. In this example, a route table is created that routes all IPv4 traffic and IPv6 traffic to an Internet gateway.

The route table is not currently associated with any subnet. Associate it with a subnet in your VPC so that traffic from that subnet is routed to the Internet gateway. First, describe your subnets to get their IDs. You can use the --filter option to return the subnets for your new VPC only, and the --query option to return only the subnet IDs and their IPv4 and IPv6 CIDR blocks.

Step 3: Configure an Egress-Only Private Subnet

You can configure the second subnet in your VPC to be an IPv6 egress-only private subnet. Instances that are launched in this subnet are able to access the Internet over IPv6 (for example, to get software updates) through an egress-only Internet gateway, but hosts on the Internet cannot reach your instances.

To make your subnet an egress-only private subnet

Create an egress-only Internet gateway for your VPC. In the output that's returned, take note of the gateway ID.

Step 4: Modify the IPv6 Addressing Behavior of the Subnets

You can modify the IP addressing behavior of your subnets so that instances launched into the subnets automatically receive IPv6 addresses. When you launch an instance into the subnet, a single IPv6 address is assigned from the range of the subnet to the primary network interface (eth0) of the instance.

Step 5: Launch an Instance into Your Public Subnet

To test that your public subnet is public and that instances in the subnet are accessible from the Internet, launch an instance into your public subnet and connect to it. First, you must create a security group to associate with your instance, and a key pair with which you'll connect to your instance. For more information about security groups, see Security Groups for Your VPC. For more information about key pairs, see Amazon EC2 Key Pairs in the Amazon EC2 User Guide for Linux Instances.

To launch and connect to an instance in your public subnet

Create a key pair and use the --query option and the --output text option to pipe your private key directly into a file with the .pem extension.

In this example, launch an Amazon Linux instance. If you use an SSH client on a Linux or OS X operating system to connect to your instance, use the following command to set the permissions of your private key file so that only you can read it.

chmod 400 MyKeyPair.pem

Create a security group for your VPC, and add a rule that allows SSH access from any IPv6 address.

If you use ::/0, you enable all IPv6 addresses to access your instance using SSH. This is acceptable for this short exercise, but in production, authorize only a specific IP address or range of addresses to access your instance.

Launch an instance into your public subnet, using the security group and key pair that you've created. In the output, take note of the instance ID for your instance.

In this example, the AMI is an Amazon Linux AMI in the US East (N. Virginia) region. If you're in a different region, you need the AMI ID for a suitable AMI in your region. For more information, see Finding a Linux AMI in the Amazon EC2 User Guide for Linux Instances.

Your instance must be in the running state in order to connect to it. Describe your instance and confirm its state, and take note of its IPv6 address.

When your instance is in the running state, you can connect to it using an SSH client on a Linux or OS X computer by using the following command. Your local computer must have an IPv6 address configured.

Step 6: Launch an Instance into Your Private Subnet

To test that instances in your egress-only private subnet can access the Internet, launch an instance in your private subnet and connect to it using a bastion instance in your public subnet (you can use the instance you launched in the previous section). First, you must create a security group for the instance. The security group must have a rule that allows your bastion instance to connect using SSH, and a rule that allows the ping6 command (ICMPv6 traffic) to verify that the instance is not accessible from the Internet.

Create a security group in your VPC, and add a rule that allows inbound SSH access from the IPv6 address of the instance in your public subnet, and a rule that allows all ICMPv6 traffic:

To test that hosts on the Internet cannot reach your instance in the private subnet, use the ping6 command from a computer that's enabled for IPv6. You should get a timeout response. If you get a valid response, then your instance is accessible from the Internet: check the route table that's associated with your private subnet and verify that it does not have a route for IPv6 traffic to an Internet gateway.

ping6 2001:db8:1234:1a01::456
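The two checks this walkthrough relies on (Step 5: SSH should not stay open to ::/0 outside the exercise; Step 6: the private subnet's route table must send ::/0 to an egress-only gateway, never to an Internet gateway) can be run over the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` return. The script below is an added example, not part of the AWS documentation; the gateway, route table and security group IDs in its embedded sample output are constructed.

```python
import json

# Constructed sample of `aws ec2 describe-route-tables` output, trimmed to the
# fields used here; ids are made up.
ROUTE_TABLES = json.loads("""{"RouteTables": [
 {"RouteTableId": "rtb-public", "Routes": [
   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c"},
   {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0a1b2c"}]},
 {"RouteTableId": "rtb-private", "Routes": [
   {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0d4e5f"}]},
 {"RouteTableId": "rtb-leaky", "Routes": [
   {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0a1b2c"}]}]}""")
# Constructed sample of `aws ec2 describe-security-groups` output.
SECURITY_GROUPS = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-open", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
    "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
 {"GroupId": "sg-bastion-only", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
    "Ipv6Ranges": [{"CidrIpv6": "2001:db8:1234:1a00::123/128"}]},
   {"IpProtocol": "icmpv6", "FromPort": -1, "ToPort": -1, "IpRanges": [],
    "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}""")

def ipv6_default_target(route_table):
    """Gateway id the ::/0 route points at, or None if the table has no such route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") == "::/0":
            return route.get("GatewayId") or route.get("EgressOnlyInternetGatewayId")
    return None

def is_egress_only(route_table):
    """True only when IPv6 default traffic leaves through an egress-only gateway (eigw-)."""
    target = ipv6_default_target(route_table)
    return target is not None and target.startswith("eigw-")

def leaky_private_tables(describe_output, private_ids):
    """Private route tables whose ::/0 route is not egress-only (an igw- makes hosts reachable)."""
    return [rt["RouteTableId"] for rt in describe_output["RouteTables"]
            if rt["RouteTableId"] in private_ids and not is_egress_only(rt)]

def ssh_open_to_world(describe_output):
    """Security groups whose rules let TCP/22 in from ::/0 or 0.0.0.0/0."""
    hits = []
    for sg in describe_output["SecurityGroups"]:
        for p in sg["IpPermissions"]:
            ssh = p["IpProtocol"] == "-1" or (p["IpProtocol"] == "tcp"
                  and p.get("FromPort", 0) <= 22 <= p.get("ToPort", 65535))
            wide = any(r["CidrIpv6"] == "::/0" for r in p.get("Ipv6Ranges", []))
            wide = wide or any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
            if ssh and wide and sg["GroupId"] not in hits:
                hits.append(sg["GroupId"])
    return hits
```

Feed the real CLI output in with `json.load(open("route-tables.json"))` and pass the IDs of your private subnets' route tables as `private_ids`; an empty result from both functions matches the end state this walkthrough expects.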

Step 7: Clean Up

After you've verified that you can connect to your instance in the public subnet and that your instance in the private subnet can access the Internet, you can terminate the instances if you no longer need them. To do this, use the terminate-instances command. To delete the other resources you've created in this example, use the following commands in their listed order: